firewall nat rule

Hi Security Experts,

I am facing a weird problem.

Firewall is learning route on outside interface, but packet tracer shows that a packet destined to that IP is being sent out on inside interface.

The packet should come in on the remote1 interface and should go out the outside interface, but running packet tracer on the firewall shows that it matches a NAT rule between the inside and remote1 interfaces and sends the packet out on the inside interface, which is wrong.

It tells me that both the networks can be reached through remote1 as well as the outside interface, which is not correct. In 8.3 or higher NATting, the NAT search is done from top to bottom, so as soon as the firewall hits a matching rule, it would take that.

My suggestion to you would be to make your NATs very specific rather than keeping them so open.

A packet received on inside interface will not be translated when it is going out on remote interface destined to 10.10.0.0 network, right? The above statement also tells that 10.10.0.0 network resides on remote interface, correct?

Now how about when a packet is received on the remote interface sourced from an IP in the 10.10.0.0 network. Will this packet *ALWAYS* get forwarded to the inside interface as per the above statement? If yes, then the above statement is bidirectional, right?

firewall nat rule

Hi Kashish,

Answer to your first post:

Yes, the NAT works bi-directionally. But the question is why do you have such an open /16 network defined; make it more specific, probably a /24 network, to segregate your two networks behind different interfaces. Moreover, it would be a better idea not to have the same network addresses behind two different interfaces on the ASA.

NATs should be created when you have a very specific source network and destination network to be defined, so that the traffic hits only that statement. Now I am not sure how your network addressing is done, but make sure you do not have the same network IPs behind different interfaces.

In 8.4 software, your order of operation would be: NAT ---> ACL ---> Route-lookup

The packet would first be un-translated, then the ACL would be checked, and then it would be routed through the correct destination interface.
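As an added illustration (not part of this thread, and a simplified model rather than the ASA's own lookup code) of why the open rule misroutes the reverse-direction packet: the NAT table is searched top-down before the route lookup, and a twice-NAT rule is bidirectional, so a rule whose real source is "any" claims every packet that arrives on remote1 from 10.10.0.0/16, regardless of where the route points. All addresses and the 192.168.1.0/24 inside network are constructed; the ACL step is omitted.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class TwiceNatRule:
    """Model of one 'nat (real,mapped) source static A A destination static B B' line."""
    real_iface: str
    mapped_iface: str
    src: ipaddress.IPv4Network   # real source object
    dst: ipaddress.IPv4Network   # destination object

    def egress_for(self, ingress, s, d):
        # Forward direction: packet enters on the real interface.
        if ingress == self.real_iface and s in self.src and d in self.dst:
            return self.mapped_iface
        # Reverse direction: the rule is bidirectional, so a packet arriving
        # on the mapped interface with the roles swapped matches as well.
        if ingress == self.mapped_iface and s in self.dst and d in self.src:
            return self.real_iface
        return None


# Constructed routing table; the default route is the one learned on outside.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("10.10.0.0/16"), "remote1"),
]


def route_lookup(d):
    """Longest-prefix match over ROUTES."""
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def egress_interface(rules, ingress, src, dst):
    """8.3+ order from the thread: NAT top-down first; route lookup only if no rule hits."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        hit = rule.egress_for(ingress, s, d)
        if hit:
            return hit
    return route_lookup(d)


# The open rule described in the thread: 'any' real source, /16 destination.
OPEN_RULES = [TwiceNatRule("inside", "remote1", ANY, ipaddress.ip_network("10.10.0.0/16"))]
# The specific form: one inside /24 talking to one remote /24.
SPECIFIC_RULES = [TwiceNatRule("inside", "remote1", ipaddress.ip_network("192.168.1.0/24"),
                               ipaddress.ip_network("10.10.3.0/24"))]
```

With the open rule, a packet from 10.10.3.7 on remote1 to an Internet address is sent out inside; with the specific rule it falls through to the route lookup and leaves on outside.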

firewall nat rule

>>But the question is why do you have such an open /16 network defined, make it more specific, probably a /24 network to segregate your two networks behind different interfaces. Moreover, it would be better idea not to have same network addresses behind two different interfaces on the ASA.

We have had this ASA running for years, and the IP address scheme was laid out long back. Now, because the ASA has changed its behavior, we are required to put in specific NAT statements. This will be too tiring for us.

Actually, we were running 8.2(2)16 code before and we did not face any issue. I noticed that the ASA was taking forwarding decisions based on route-lookup in 8.2.

Problems are happening on 8.4(4)1, and that is because the default ASA behavior has changed. I have gone through the release notes that you mentioned in another post, but this default ASA behavior just does not make sense.
